
LDAP Client

AstLinux includes the LDAP client libraries along with command line tools that can be used to query an LDAP server. PHP scripts may also act as an LDAP client where the query results can be easily filtered and acted upon.

Note: AstLinux 1.1.2 or later is required

Since AstLinux would typically only query a single LDAP server, it is convenient to define global system defaults that can be used by client queries. Of course an LDAP client may override any of the system defaults if desired.

Select the Network Tab in the web interface.

LDAP Client Defaults

  • LDAP Server URI(s): Space separated list of LDAP server(s) as URI(s).
  • LDAP Base DN: Default base DN to use when performing LDAP operations. The base must be specified as a Distinguished Name in LDAP format.
  • LDAP Dereferencing:
    • [never] - Aliases are never dereferenced. This is the default.
    • [searching] - Aliases are dereferenced in subordinates of the base object, but not in locating the base object of the search.
    • [finding] - Aliases are only dereferenced when locating the base object of the search.
    • [always] - Aliases are dereferenced both in searching and in locating the base object of the search.
  • LDAP TLS Cert Check:
    • [never] - The client will not request or check any server certificate.
    • [allow] - The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, it will be ignored and the session proceeds normally.
    • [try] - The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad certificate is provided, the session is immediately terminated.
    • [demand] - The server certificate is requested. If no certificate is provided, or a bad certificate is provided, the session is immediately terminated.
      • Server CA Cert File: CA file for [try] and [demand]. Example: /mnt/kd/ssl/ca-ldap.pem
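As an added example (not AstLinux code), the following POSIX shell maps the settings above onto the OpenLDAP ldap.conf(5) keywords of the same name and semantics (URI, BASE, DEREF, TLS_REQCERT, TLS_CACERT) and reports whether the chosen LDAP TLS Cert Check setting actually protects a TLS session. It assumes the client libraries are OpenLDAP's; where AstLinux stores these defaults is not covered on this page, so the fragment is only printed. The host name and CA path are constructed values.

```shell
#!/bin/sh
# Added example, not AstLinux code. Maps the web-interface "LDAP Client
# Defaults" onto OpenLDAP ldap.conf(5) keywords and flags a certificate-check
# setting that does not protect a TLS session.
# Assumption: the client libraries are OpenLDAP's; the location of the
# defaults on AstLinux is not covered here, so the fragment is only printed.

# render_ldap_conf URI BASE DEREF REQCERT [CACERT]
render_ldap_conf() {
  printf 'URI %s\nBASE %s\nDEREF %s\nTLS_REQCERT %s\n' "$1" "$2" "$3" "$4"
  if [ -n "${5:-}" ]; then
    printf 'TLS_CACERT %s\n' "$5"
  fi
}

# check_tls_cert_policy URI REQCERT CACERT [starttls]
# Prints "ok: ...", "weak: ..." or "info: ...". TLS is in use when the URI
# is ldaps:// or the client issues StartTLS (the --tls option of the CLI
# scripts, or ?tls on the CGI script); then only [try] or [demand] together
# with a CA file makes the client reject a missing or forged server
# certificate, because [never] and [allow] let the session proceed anyway.
check_tls_cert_policy() {
  _tls=no
  case "$1" in ldaps://*) _tls=yes ;; esac
  if [ "${4:-}" = starttls ]; then
    _tls=yes
  fi
  if [ "$_tls" = no ]; then
    echo "info: no TLS on $1, certificate check not exercised (traffic is cleartext)"
    return 0
  fi
  case "$2" in
    never|allow)
      echo "weak: TLS_REQCERT $2 proceeds without a valid server certificate" ;;
    try|demand)
      if [ -z "${3:-}" ]; then
        echo "weak: TLS_REQCERT $2 but no TLS_CACERT to validate the server against"
      else
        echo "ok: TLS_REQCERT $2 with TLS_CACERT $3"
      fi ;;
    *)
      echo "weak: unknown TLS cert check '$2'" ;;
  esac
}

# Usage: the [try] + CA file combination from the page beside a weak one
# (host name and CA path are constructed values).
render_ldap_conf 'ldaps://ldap.example.com' 'dc=example,dc=com' never try /mnt/kd/ssl/ca-ldap.pem
check_tls_cert_policy 'ldaps://ldap.example.com' try /mnt/kd/ssl/ca-ldap.pem
check_tls_cert_policy 'ldaps://ldap.example.com' allow ''
```

The check treats a plain ldap:// URI without StartTLS as cleartext rather than as a certificate problem; the two are different weaknesses and the second function only judges the first.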

If your LDAP server's base DN allows anonymous queries, including names and phone numbers, AstLinux provides an unauthenticated Phone LDAP Directory CGI Script to perform anonymous LDAP queries.

While some IP Phones provide some sort of LDAP client address book, this CGI script provides a common result across many types of phones, even if they are not LDAP enabled.

Note -> The Network tab “LDAP Server URI(s):” entry must be defined for this directory CGI script to be enabled.

The phone-ldap-dir.php CGI script is similar to the phone-dir.php CGI script, but uses the “LDAP Client System Defaults” settings to query the data.

Examples:

https://pbx/phone-ldap-dir.php?type=yealink&search=smith
https://pbx/phone-ldap-dir.php?tls&type=snom&search=jones

The type may include: generic, polycom, aastra, yealink, or snom (defaults to “generic”).

If your LDAP server's base DN does not allow anonymous queries for names and phone numbers, a custom version of phone-ldap-dir.php is required. It is recommended to place a custom copy of phone-ldap-dir.php in the /mnt/kd/phoneprov/ directory, which is served via HTTP/HTTPS as /phoneprov/ .

Tip -> A working knowledge of PHP is required.

If the /mnt/kd/phoneprov/ directory does not exist, create it and restart lighttpd from the CLI; otherwise this step can be skipped.

mkdir /mnt/kd/phoneprov
service lighttpd stop
service lighttpd init

Then copy the original phone-ldap-dir.php script to the /mnt/kd/phoneprov/ directory…

cp /stat/var/www/phone-ldap-dir.php /mnt/kd/phoneprov/

Next, edit the /mnt/kd/phoneprov/phone-ldap-dir.php script to suit your needs. If authentication is required look for this section and define both $user and $pass variables.

// begin - Custom variables, don't edit original phone-ldap-dir.php script.
// Copy this script to /mnt/kd/phoneprov/phone-ldap-dir.php to make changes.
$user = '';
$pass = '';
$proto_version = 3;
$ms_ad = FALSE;       // Set to TRUE for Active Directory server
// end

The custom script is called as in the following example, the same as before but under /phoneprov/ and usually with tls enabled.

https://pbx/phoneprov/phone-ldap-dir.php?tls&type=snom&search=jones


Note -> You may want to restrict access via the web server for /phoneprov/ access. Using the Network tab in the web interface…

Network → Network Services:


In addition to the HTTPS CGI script described above, AstLinux also supports Command-Line-Interface (CLI) scripts to access LDAP directory data. By default the scripts are configured to access the LDAP server with anonymous access (possibly 'localhost' when the LDAP Server is enabled). If user/pass authentication is required, it is suggested to copy the script from /usr/bin/ to /mnt/kd/bin/ and customize the script accordingly.

Note: AstLinux 1.1.4 or later is required

If the local LDAP Server is enabled and populated with a directory, the typical LDAP Client setting to anonymously access via localhost is as follows:

(screenshot: LDAP Client Defaults)

ldap-phone-num-lookup

Usage: ldap-phone-num-lookup [-ht] [--tls] [-m|--match-num list] [-o|--output-name list] number

Options:
    -h, --help             Show help
    -t, --tls              Enable TLS using start_tls
    -m, --match-num list   Comma separated list to match number. Default: telephonenumber,mobile,cellphone,homephone
    -o, --output-name list Comma separated list to display the name. Default: displayname,cn,sn,givenname

By default the 'number' is matched as: (|(telephonenumber=$number)(mobile=$number)(cellphone=$number)(homephone=$number))

Standard output returns the first displayname/cn/sn/givenname that contains a matching number.

Use the optional -m|--match-num list and -o|--output-name list options to limit and specify the order of the matching and output.

ldap-phone-name-lookup

Usage: ldap-phone-name-lookup [-ht] [--tls] [-m|--match-name list] [-o|--output-num list] name

Options:
    -h, --help             Show help
    -t, --tls              Enable TLS using start_tls
    -m, --match-name list  Comma separated list to match name. Default: cn,displayname
    -o, --output-num list  Comma separated list to display numbers. Default: telephonenumber,mobile,cellphone,homephone

By default the 'name' is matched as: (|(cn=$name)(displayname=$name))

Standard output returns (multiple) phone number(s) separated by a tilde (~).

Use the optional -m|--match-name list and -o|--output-num list options to limit and specify the order of the matching and output.

Examples of how the ldap-phone-name-lookup and ldap-phone-num-lookup scripts can be used in an Asterisk dialplan.

CallerID number lookup via LDAP and AstDB

[subCID-lookup]
; CallerID(num) lookup, first LDAP then AstDB
exten => s,1,NoOp(CallerID lookup, first LDAP then AstDB ...)
 same => n,ExecIf($[ $["${CALLERID(num)}" != ""] & $["${CALLERID(name)}" = ""] ]?Set(LDAP_Name=${SHELL(ldap-phone-num-lookup '${ARG1}')}))
 same => n,ExecIf($["${LDAP_Name}" != ""]?Set(CALLERID(name)=${LDAP_Name}))
 same => n,ExecIf($[ $["${CALLERID(num)}" != ""] & $["${CALLERID(name)}" = ""] ]?Set(CALLERID(name)=${DB(cidname/${CALLERID(num)})}))
 same => n,Return()

And in your incoming context put this line somewhere:

exten => s,n,GoSub(subCID-lookup,s,1(${CALLERID(num)}))
  • Last modified: 2013/11/18 08:37
  • by abelbeck